December 5, 2023

Microsoft has patched the information disclosure vulnerability in SPNEGO NEGOEX tracked CVE-2022-37958 in September 2022. Now, the vulnerability allows threat actors to conduct an RCE and reclassified the severity as critical.

The SPNEGO Extended Negotiation (NEGOEX) Security Mechanism enables a client and server to agree on a type security mechanism to deploy was found vulnerable. A pre-authentication remote code execution vulnerability affects a large number of protocols and is potentially wormable.

Using this vulnerability, threat actors could remotely execute code by using the NEGOEX protocol via any Windows application protocol that authenticates by default. SMB, SMTP, HTTP, and RDP Protocols will be abused.


There is no need for a victim to interact with a target system or authenticate themselves prior to being exposed to this vulnerability.

Like, CVE-2017-0144 vulnerability that EternalBlue exploited for the WannaCry ransomware attacks only impacted the SMB protocol. Researchers claim that CVE-2022-37958 vulnerability is even more dangerous. The SPNEGO vulnerability can affect a wider number of Windows systems since it can also affect HTTP, RDP, and SMB.

It’s been advised to further review the services exposed to the internet, like SMB and RDP. Continuously monitor the attack surface and make sure that Kerberos or Net-NTLM are the only Windows authentication providers.

If you can`t apply the patch on your machine, its recommend removing “Negotiate” as a default provider.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.